Platform: python
Component: changedetection-io
Fixed in: 0.54.5, 0.54.4
CVE-2026-29065 describes a Zip Slip vulnerability affecting changedetection-io versions up to 0.54.3. This flaw allows attackers to overwrite arbitrary files on the system during the backup restore process by crafting malicious ZIP archives with path traversal sequences. The vulnerability stems from insufficient validation of file paths during extraction. A patch is available in version 0.54.4.
The Zip Slip vulnerability in changedetection-io poses a significant risk because it allows for arbitrary file overwrites. An attacker could upload a specially crafted ZIP archive containing path traversal sequences (e.g., ../) to bypass the intended extraction directory. This could lead to the overwriting of critical system files, configuration files, or even executable binaries, potentially granting the attacker complete control over the affected system. The impact is particularly severe if the changedetection-io instance runs with elevated privileges or has access to sensitive data. Successful exploitation could result in a complete system compromise, data exfiltration, or denial of service.
CVE-2026-29065 was publicly disclosed on 2026-03-04. There are currently no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog at the time of writing. Exploitation is nonetheless considered relatively easy, because Zip Slip flaws are well understood and archives with path traversal entries are straightforward to produce.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
The primary mitigation for CVE-2026-29065 is to upgrade changedetection-io to version 0.54.4 or later, which includes the necessary path validation fixes. If upgrading is not immediately feasible, apply temporary workarounds: restrict access to the backup restore functionality to trusted users only; enforce strict file system permissions so that the process running changedetection-io cannot write outside its own data directory, limiting the impact of a successful overwrite; and consider using a Web Application Firewall (WAF) to filter potentially malicious ZIP archive uploads, although this is not a substitute for patching. Monitor system logs for unusual file modification activity, especially writes outside the application's data directory following a restore request.
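The core of the fix described above is validating where each archive member would land before anything is written. The following is an added illustration of that check, written for this page; it is not changedetection-io's own code or its 0.54.4 patch. It resolves every member name against the destination directory and refuses the whole archive if any entry would escape it (absolute paths, "../" sequences, backslash variants) or is a symlink, then extracts only after the archive has passed. The file names and contents used in run_demo() are constructed test data, not files from the project.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def find_unsafe_members(zf: zipfile.ZipFile, dest_dir: str) -> list[str]:
    """Return member names that would resolve outside dest_dir.

    Catches absolute paths, '..' traversal (including forms such as
    'a/../../b' that only escape after normalisation), and backslash or
    drive-letter variants that some extractors treat as separators.
    """
    dest = Path(dest_dir).resolve()
    unsafe = []
    for name in zf.namelist():
        norm = name.replace("\\", "/")  # treat backslashes as separators too
        if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
            unsafe.append(name)
            continue
        target = (dest / norm).resolve()
        # A safe target is the destination itself or something beneath it.
        if target != dest and dest not in target.parents:
            unsafe.append(name)
    return unsafe


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Validate every member first, then extract; raise ValueError on any traversal."""
    dest = Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = find_unsafe_members(zf, dest_dir)
        if bad:
            raise ValueError(f"refusing archive: unsafe member paths {bad}")
        extracted = []
        for info in zf.infolist():
            # The high 16 bits of external_attr carry the Unix mode; refuse
            # symlinks, which could redirect a later write outside dest_dir.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                raise ValueError(f"refusing archive: symlink member {info.filename}")
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(str(target.relative_to(dest)))
        return extracted


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise the guard on a benign archive and on one with a traversal entry."""
    dest = tempfile.mkdtemp(prefix="restore-demo-")
    benign = build_zip({"watches.json": b"{}", "data/notes.txt": b"constructed"})
    result = {"benign": sorted(safe_extract(benign, dest))}

    # Constructed archive whose second entry would land two levels above dest.
    traversal = build_zip({"ok.txt": b"x", "../../outside.txt": b"y"})
    with zipfile.ZipFile(io.BytesIO(traversal)) as zf:
        result["unsafe"] = find_unsafe_members(zf, dest)
    try:
        safe_extract(traversal, dest)
        result["rejected"] = False
    except ValueError:
        result["rejected"] = True
    # Nothing from the rejected archive was written, not even the benign entry.
    result["ok_written"] = (Path(dest) / "ok.txt").exists()
    return result


if __name__ == "__main__":
    print(run_demo())
```

Validating the whole archive before writing any file matters: an extractor that checks entries one at a time while extracting can still leave earlier entries on disk when a later one is rejected, which complicates cleanup after a failed restore. The same check can be run at upload time, before a restore is even scheduled, and its rejections logged as a detection signal.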
Update changedetection.io to version 0.54.4 or higher. This version fixes the Zip Slip vulnerability that allows arbitrary file overwrites during backup restoration.
CVE-2026-29065 is a high-severity vulnerability in changedetection-io versions up to 0.54.3 that allows attackers to overwrite files via path traversal in uploaded ZIP archives during backup restore.
You are affected if you are running changedetection-io versions prior to 0.54.4. Check your version and upgrade immediately if vulnerable.
Upgrade changedetection-io to version 0.54.4 or later to patch the vulnerability. Restrict access to the restore functionality as a temporary measure.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is easily exploitable and should be patched promptly.
Refer to the changedetection-io project's official release notes and security advisories on their GitHub repository for the latest information.